GCP Professional Cloud Architect Practice Question
A managed instance group of web servers runs in the prod-vpc network. Every VM is tagged web-frontend and is reached through an external HTTPS load balancer. The network currently has these firewall rules:
default-allow-internal (priority 65534, allow all protocols from 10.128.0.0/9, 172.16.0.0/12, 192.168.0.0/16)
default-deny-ingress (priority 65535, deny all)
allow-https-web (priority 1000, allow tcp:443 from 0.0.0.0/0 to targets tagged web-frontend)
A new policy states that the web servers must:
accept HTTPS only from 35.191.0.0/16 and 130.211.0.0/22 (load-balancer ranges)
allow SSH only from the on-premises subnet 10.10.0.0/24
block all other sources without affecting other prod-vpc workloads
Which approach satisfies these requirements with the fewest firewall changes?
Attach a Cloud Armor security policy to the load balancer that allows requests from 35.191.0.0/16, 130.211.0.0/22, and 10.10.0.0/24 and blocks all other sources. No firewall rule changes are needed.
Add an ingress deny rule (priority 900) that targets web-frontend and denies tcp:443 from 0.0.0.0/0 except 35.191.0.0/16 and 130.211.0.0/22. Add no other rules.
Delete default-allow-internal and allow-https-web. Create two new ingress allow rules that target web-frontend: one for tcp:443 from 35.191.0.0/16 and 130.211.0.0/22, and one for tcp:22 from 10.10.0.0/24. Rely on default-deny-ingress to block everything else.
Modify allow-https-web to permit tcp:443 only from 35.191.0.0/16 and 130.211.0.0/22, add an ingress allow rule (priority 1000) for tcp:22 from 10.10.0.0/24 to targets tagged web-frontend, then create an ingress deny-all rule (priority 2000) that targets the web-frontend tag with source 0.0.0.0/0. Leave the default rules unchanged.
Editing the existing HTTPS rule so that it no longer allows all sources removes direct internet access while keeping the rule count low. Adding a separate SSH allow rule lets the on-premises subnet connect. Because default-allow-internal (priority 65534) would still permit traffic from the other RFC 1918 ranges, creating a deny-all ingress rule that targets the web-frontend tag and has a lower priority number than 65534 ensures that every packet not matched by the two precise allow rules is dropped, but only for VMs that carry the tag. Other prod-vpc workloads keep using default-allow-internal because the new rules match only the tagged web servers. Deleting default-allow-internal (or relying on Cloud Armor) would risk breaking other internal traffic, and moving the servers to a new subnet is a larger change than required.